Kitz ADSL Broadband Information
Author Topic: Apple Snooping on users and sending the result unencrypted  (Read 1769 times)

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5270
    • Thinkbroadband Quality Monitors
Apple Snooping on users and sending the result unencrypted
« on: November 15, 2020, 01:18:51 AM »

Quote
It turns out that in the current version of the macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run, when you run it. Lots of people didn’t realize this, because it’s silent and invisible and it fails instantly and gracefully when you’re offline, but today the server got really slow and it didn’t hit the fail-fast code path, and everyone’s apps failed to open if they were connected to the internet.

Because it does this using the internet, the server sees your IP, of course, and knows what time the request came in. An IP address allows for coarse, city-level and ISP-level geolocation, and allows for a table that has the following headings:

Date, Time, Computer, ISP, City, State, Application Hash

Apple (or anyone else) can, of course, calculate these hashes for common programs: everything in the App Store, the Creative Cloud, Tor Browser, cracking or reverse engineering tools, whatever.

This means that Apple knows when you’re at home. When you’re at work. What apps you open there, and how often. They know when you open Premiere over at a friend’s house on their Wi-Fi, and they know when you open Tor Browser in a hotel on a trip to another city.

“Who cares?” I hear you asking.

Well, it’s not just Apple. This information doesn’t stay with them:

https://sneak.berlin/20201112/your-computer-isnt-yours/

Maybe a bit dramatic, but with modern analysis it is a cause for concern.

I wonder how this compares to the telemetry Microsoft collect?
« Last Edit: November 15, 2020, 01:21:35 AM by Alex Atkin UK »
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Apple Snooping on users and sending the result unencrypted
« Reply #1 on: November 15, 2020, 07:24:49 AM »

Is that true for iOS too? Don’t like that at all!  :no: >:(

I wonder if we could firewall this off?

Since Apple use privacy addresses with IPv6, then they can’t tell anything much about you if you do use IPv6. They can get stats on what apps are in use but the ‘by whom’ thing isn’t really doable in that case. And with IPv4 a lot of users have dynamic addresses from their ISPs anyway.
« Last Edit: November 15, 2020, 07:28:33 AM by Weaver »
Logged

displaced

  • Reg Member
  • ***
  • Posts: 270
Re: Apple Snooping on users and sending the result unencrypted
« Reply #2 on: November 15, 2020, 06:37:23 PM »

It's an RFC 6960 OCSP certificate revocation check... and it's the developer certificate whose hash is checked, not an individual application cert.

And this only applies to apps that have a developer certificate. macOS doesn't require these certificates be present, but will warn for apps that don't have one.  For unsigned apps, there's no certificate, and therefore no OCSP call.

Our machines are (or should be) sending OCSP requests very frequently, even non-Apple devices, since this is also how browsers check that HTTPS certs haven't been revoked.

OCSP as a protocol does have some privacy concerns, but they would apply to all applications of OCSP, including our browsers.
« Last Edit: November 15, 2020, 06:40:48 PM by displaced »
Logged
YouFibre 1Gbit, OPNsense on Intel N100.  Ubiquiti UAPs.
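
To make concrete what the OCSP check described in Reply #2 puts on the wire, here is an added example (not from the thread or from Apple) that builds a minimal RFC 6960 OCSPRequest, encodes it as an HTTP GET path, and decodes it the way anyone who can read the plaintext request could. The issuer bytes, serial number and `/ocsp-placeholder/` path are constructed sample values, and the DER helpers cover only what this sample needs.

```python
import base64, hashlib
from urllib.parse import quote, unquote

def tlv(tag, body):
    # DER-encode one element (short-form length; enough for this small sample).
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos=0):
    # Decode one element; returns (tag, value, next_pos). Handles long-form lengths.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    # Split the contents of a constructed element into (tag, value) pairs.
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def build_sample_get(issuer_name, issuer_key, serial):
    # Constructed input: a minimal OCSPRequest holding one SHA-1 CertID.
    sha1 = tlv(0x30, tlv(0x06, bytes.fromhex("2b0e03021a")) + tlv(0x05, b""))
    cert_id = tlv(0x30, sha1
                  + tlv(0x04, hashlib.sha1(issuer_name).digest())
                  + tlv(0x04, hashlib.sha1(issuer_key).digest())
                  + tlv(0x02, serial.to_bytes(8, "big")))
    der = tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, cert_id))))
    # RFC 6960 A.1: GET {url}/{url-encoded base64 of the DER request}
    return "/ocsp-placeholder/" + quote(base64.b64encode(der).decode(), safe="")

def observer_view(path):
    # What anyone who can read the plaintext HTTP request line recovers.
    der = base64.b64decode(unquote(path.rsplit("/", 1)[1]))
    tbs = children(read_tlv(der)[1])[0][1]
    req_list = next(v for t, v in children(tbs) if t == 0x30)  # skip [0]/[1]
    seen = []
    for _, request in children(req_list):
        _, name_hash, key_hash, serial = [v for _, v in children(children(request)[0][1])]
        seen.append((name_hash.hex(), key_hash.hex(), int.from_bytes(serial, "big")))
    return seen

# Constructed values: placeholder issuer bytes and a made-up certificate serial.
SAMPLE = build_sample_get(b"placeholder issuer DN", b"placeholder issuer key", 0x1122334455667788)
```

The recovered fields are the CertID only: two hashes identifying the issuer plus the certificate's serial number. Base64 and URL-encoding are encodings, not encryption, which is why the plain-HTTP transport matters.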

stevebrass

  • Reg Member
  • ***
  • Posts: 261
Re: Apple Snooping on users and sending the result unencrypted
« Reply #3 on: November 18, 2020, 10:04:46 PM »

Logged
Netgear Orbi; BT FTTP with Smart Hub 2

gt94sss2

  • Kitizen
  • ****
  • Posts: 1281
Logged

parkdale

  • Reg Member
  • ***
  • Posts: 597
Re: Apple Snooping on users and sending the result unencrypted
« Reply #5 on: November 19, 2020, 04:20:08 PM »

Logged
Vodafone FTTC ECI cab 40/10Mb connection / Fritz!box7590

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Apple Snooping on users and sending the result unencrypted
« Reply #6 on: November 19, 2020, 05:01:49 PM »

For the rest of us using Android mob's https://www.theregister.com/2020/11/14/google_android_data_allowance/

I've always wished somebody would start a suit like that.  Not just for Google, but for any App or OS that uses my bandwidth without my express permission, even just if checking for updates/downdates.

I don't think I agree with The Register that "Data sent over Wi-Fi is not at issue".  Just because it's not metered doesn't mean that stealing it isn't theft.

Can't help wondering though... might permission be buried somewhere in the small print of the hundreds of pages of T&Cs that most of us just tick without absorbing? :-\
Logged